On April 28, 2011 Jacob Lew released an OMB memorandum Implementing Telework Enhancement Act of 2010 IT Purchasing Requirements, giving agency CIOs, in coordination with chief acquisition officers, 90 days to develop or update policies on purchasing computing technologies and services to enable and promote telework. Additionally, purchasing policies must address the information security threats raised by use of technologies associated with telework. While telework can produce resource savings and reduce time, expenses, and greenhouse gas production associated with weekly commuting, it also provides federal employees the ability to continue working during inclement weather, emergencies, or situations that may disrupt normal operations. However, telework is only as effective as the technologies used to support it, which is why it is critical for agencies to take measures to ensure that their employees are properly and securely equipped.
While this OMB memorandum grants agencies broad discretion in formulating telework purchasing policies to best suit their needs, agencies must at a minimum:
- Select and acquire information technology that is technology and vendor neutral and best fits the needs of the Federal Government
- Determine allowable IT products and services, including remote access servers, client devices, and internal resources accessible through remote access
- Prioritize use of government-wide and agency-wide contracts for new acquisitions and renewal of services to leverage the government's buying power
- Deploy new and modernize existing agency IT systems and infrastructure to support agency teleworking requirements
- Ensure that all devices and infrastructure comply with federal security and privacy requirements
- Ensure protection of sensitive information by properly disposing of devices no longer in use
Workforce mobility and citizens’ needs for readily accessible information create an inherent conflict with security, and devices and solutions that securely improve information mobility need to take center stage. Government networks must be protected with comprehensive solutions that control access into networks, ensure user identity, prohibit data leaks, reduce spam, prevent virus outbreaks, scrub traffic for unwanted usage to protect employee and citizen information, and provide secure access to government programs.
Although these facts have been well known for years, we will see yet another memorandum, again from OMB, on June 7, 2011. This forthcoming memo will provide guidelines to ensure the adequacy of information and security protections for information and information systems used while teleworking. It's about time. In this current environment of needing to lead by example, versus by email or memorandum, congratulations to the agencies that have successfully deployed telework. As cited in GCN last week Better government through telework: Agencies count the advantages, in addition to the real estate savings, agencies such as CDC are expanding their practices of providing encrypted laptops not only to teleworkers, but are also replacing traditional desktops with PCs. Good plan, as this allows this agency flexibility for quickly setting up additional future teleworkers by leveraging such equipment.
It's time to seriously deploy telework policies and procedures that are uniformly implemented and enforced across government. The lack of consistent policies and effective security measures are significant barriers to governmentwide telework. Governments also need to examine processes, tools, and organizational behaviors as they prepare for security breaches and attacks. Holistic approaches to information security include protection of devices, infrastructure, and applications, and policies and practices for workers. Successful government telework requires strong leadership, sustained management commitment and effort, disciplined processes, consistent oversight, and apparently, another memorandum.